DoS subsystem should compare IPv6 /64

s7r writes:

Our internal DoS defense subsystem should also treat prefixes instead of addresses, because right now with a client with a /64 public IPv6 prefix assigned to it I could hammer via IPv6 guards without triggering the DoS defense.

https://lists.torproject.org/pipermail/tor-dev/2020-February/014144.html

We could make this change by:

• only putting the first /64 of each IPv6 address in the filter list, and
• only checking the first /64 of each new IPv6 connection